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Abstract 

Device-independent quantum key distribution aims to provide key distribution schemes 
whose security is based on the laws of quantum physics but which does not require any as- 
sumptions about the internal working of the quantum devices used in the protocol. This strong 
form of security, unattainable with standard schemes, is possible only when using correlations 
that violate a Bell inequality. We provide a general security proof valid for a large class of device- 
independent quantum key distribution protocols in a model in which the raw key elements are 
generated by causally independent measurement processes. The validity of this independence 
condition may be justifiable in a variety of implementations and is necessarily satisfied in a 
physical realization where the raw key is generated by N separate pairs of devices. Our work 
shows that device-independent quantum key distribution is possible with key rates comparable 
to those of standard schemes. 



1 Introduction 

A central problem in cryptography is the distribution among distant users of secret keys that can be 
used, e.g., for the secure encryption of messages. This task is impossible in classical cryptography 
unless assumptions are made on the computational power of the eavesdropper. Quantum key dis- 
tribution (QKD), on the other hand, offers security against adversaries with unbounded computing 
power p]. 

The ultimate level of security provided by QKD was made possible thanks to a change of 
paradigm. While in classical cryptography security relies on the hardness of certain mathematical 
problems, in QKD it relies on the fundamental laws of quantum physics. A side-effect of this 
change of paradigm, however, is that whereas the security of classical cryptography is based on the 
mathematical properties of the key itself — how the key was actually generated in practice being, 
in principle, irrelevant to the security of the scheme — in QKD, the security crucially depends on 
the physical properties of the key generation process, e.g., on the fact that the key was produced 
by measuring the polarization of a single-photon along well defined directions. But then, how can 
one asses the level of security provided by a real-life implementation of QKD, which will inevitably 
differs in inconspicuous ways from the idealized, theoretical description [2]? Errors in the encoding 
of the signals of Alice [3j, for instance, or features of the detectors not taken into account in the 
theoretical analysis [1] can be exploited to break the security of real-life QKD schemes. 
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Device-independent QKD (DIQKD) [5j aims at closing the gap between theoretical analyses 
and practical realizations of QKD by designing protocols whose security does not require a detailed 
characterization of the devices used to generate the secret key (such as, e.g., the dimension of 
the Hilbert space of the quantum signals or the type of measurements performed on them) [51 EJ 
[8]. This stronger form of cryptography is possible if it is based on the observation of a Bell 
inequality violation, which guarantees that the data produced by the quantum devices possess 
some amount of secrecy, independently of how exactly these data were generated [91 [10] . In some 
sense, DIQKD combines the advantages of classical and quantum cryptography: security against 
unbounded adversaries based on the law of quantum physics but which does not rely on the physical 
details of the generation process. A fully device-independent demonstration of QKD, however, still 
represents at present an experimental challenge (111 . 

In this work, we provide a general formalism for proving the security of DIQKD protocols. 
The key element in our analysis is a bound on the min-entropy of the raw key as a function of 
the observed Bell inequality violation. Compared to the security proof given in [5J El [12], which 
is restricted to protocols based on the Clauser-Horne-Shimony-Holt (CHSH) inequality [13], our 
approach is completely general and can be applied to protocols based on arbitrary Bell inequalities. 
Furthermore, it is not limited to "collective attacks" , but is valid against the most general attacks 
available to an eavesdropper. 

The DIQKD model that we consider, however, is partly restricted as it supposes that the 
measurement processes generating the different bits of the raw key are causally independent of each 
other (though they could be arbitrarily correlated). This independence condition is necessarily 
satisfied in a physical realization where the N bits of the raw key are generated by ./V separate 
pairs of devices used in parallel. Our analysis therefore shows that secure fully device-independent 
QKD is in principle possible. In a more practical realization in which a single pair of devices is 
used sequentially to generate the raw key, our measurement independence condition is satisfied 
if the devices have no internal memory, an assumption that may be justifiable in a variety of 
implementations. Note that our measurement independence condition and the level of security 
provided here is equivalent to the one considered in [144 [Tal 116) . The difference with respect to 
|14) [T5"l [T6] is that our proof does not rely only on the no-signalling principle but also on the validity 
of the quantum formalism. This results in much better key rates, comparable to those of standard 
QKD. 

2 General structure of a DIQKD protocol 

Let us start by presenting the class of protocols that we consider here, which are variations of Ekert's 
QKD protocol [H [T7] . Alice and Bob share a quantum channel that distributes entangled states 
and they both have a quantum apparatus to measure their incoming particles. These apparatuses 
take an input (the measurement setting) and produce an output (the measurement outcome). We 
label the inputs and outputs x and a for Alice, and y and b for Bob, and assume that they take a 
finite set of possible values. 

The first step of the protocol consists in measuring the pairs of quantum systems distributed 
to Alice and Bob. In most of the cases (say N), the inputs are set to fixed values Xi = x vsw and 
Di = yraw and the corresponding outputs a = (a%, . . . ajv) and b = (b±, . . . 6jv) constitute the two 
versions of the raw key. In the remaining systems, which represent a small random subset of all 
measured pairs (of size say iV es t ~ \ N), the inputs x,y are chosen uniformly at random. From 
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these N est pairs, Alice and Bob determine the relative frequencies q(ab\xy) with which the outputs 
a and b are obtained when using inputs x and y. These relative frequencies quantify the degree of 
non-local correlations between Alice and Bob's system through the violation of the Bell inequality 
associated to the DIQKD protocol. This Bell inequality is defined by a linear function g of the 
input-output correlations q(ab\xy): 

9 = ^2 9abx y q(ab\xy) < g\ oc , (1) 

a,b,x,y 

where g a bxy are the coefficients defining the Bell inequality and g\ oc is its local bound. A particular 
example of a Bell inequality is the CHSH inequality [T3] 

9chsh = £ (-l) a+b+xy q(ab\xy) < 2 , (2) 

a,b,x,y 

where a, b,x,y £ {0, 1}. 

After this initial "measure and estimate" phase, the rest of the protocol is similar to any other 
QKD protocol. Alice publishes an A^ pu b-bit message about a, which is used by Bob to correct his 
errors b — > b', such that b' = a with arbitrarily high probability. Alice and Bob then generate their 
final secret key k by applying a 2-universal random function to a and b', respectively |18j . 



3 The DIQKD model 

In the DIQKD approach, we do not assume that the devices behave according to predetermined 
specifications. For instance, the state emitted by the source of particles may be modified by the 
eavesdropper, or the implementation of the measuring devices may be imperfect. To analyze the 
security of a DIQKD protocol, we must therefore first specify how we model the N pairs of systems 
used to generate the raw key. 

These N pairs of systems are eventually all measured using the inputs x = x rscw and y = y TSC w, 
but since they where initially selected at random and each of them could have been part of the 
iVest pairs used to estimate the Bell violation, we must also consider what would have happened for 
any other inputs x and y. Let therefore P(ab|xy) denote the prior probability to obtain outcomes 
a and b if measurements x = (x\, . . . xn) and y = (y%, . . . yjy) are made on these N pairs. This 
unknown probability distribution characterizes the initial system at the beginning of the protocol. 

In the theoretical model that we consider here, we view the N bits of the raw key as arising 
from N commuting measurements on a joint quantum system p_ab- That is, we suppose that the 
probabilities P(ab|xy) can be written as 

N 

P(ab|xy) = ti[pAB ^( a »l x i) B i (&*!?/*)] > ( 3 ) 

i=l 

where Ai(ai\xi) are operators describing the measurements made by Alice on her z th system if she 
select input Xi (they thus satisfy Ai(cn\xj) > and Yl a - Ai(di\xi) = 1), where, similarly, £?j(6j|?/j) 
are operators describing the measurements made by Bob, and where these measurement operators 
satisfy the commutation relations 

[A i {a\x),B j {b\y)]=Q (4) 
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and 

[^(a|*M,(aV)] = [£*(%), £#V)] = (5) 

for all i,j and a, a' ,b,b' ,x,x' . Apart from the conditions Q and the state pab and the 
operators Ai(ai\xi) and Bi(bi\yi) are arbitrary and unspecified. The only constraint on them is 
that they should return measurement probabilities ^ compatible with the statistics of the N cst 
randomly selected pairs, characterized by the observed Bell-inequality violation g. 

In quantum theory, measurement operators that commute represent compatible measurements 
that do not influence each other and which can be performed independently of each other. The 
commutation relations Q between the operators Ai(a{\xi) describing Alice's measurement devices 
and the operators Bi(bi\yi) describing Bob's measurement devices are thus a necessary part of any 
DIQKD model; security cannot be guaranteed without them. 

The commutation relations ^ between the operators Ai(ai\xi) within Alice's location, and the 
commutation relations between the operators Bi(bi\yi) within Bob's location, represent, on the other 
hand, additional constraints specific to the DIQKD model considered here. These commutation 
relations are satisfied in an implementation in which the N bits of the raw key are generated by N 
separate and non-interacting pairs of devices used in parallel. 

In the extreme adversarial scenario where the provider of the devices is not trusted (e.g., if the 
provider is the eavesdropper itself), this independence condition can be guaranteed by shielding 
the N devices in such a way that no communication between them occurs during the measurement 
process. One could also consider a setup where the measurements performed by the N devices define 
space-like separated events. However, even in a space-like separated configuration, the ability to 
shield the devices is required if the provider of the devices is untrusted, as we cannot guarantee 
through other means that the devices do not send directly unwanted information to the adversary. 
But, then, the ability to shield the devices is already sufficient by itself to guarantee 

In a more practical implementation where the raw key is generated by repeatedly performing 
measurements in sequence on a single pair of devices, the commutation relation ^ expresses the 
condition that the functioning of the devices should not depend on any internal memory storing 
the quantum states and measurement results obtained in previous rounds. In the most general 
DIQKD model, the quantum devices could possess a quantum memory such that the state of the 
system after the i th measurement is passed to the successive round i + 1 (this state could also 
contain classical information about the measurement inputs and outputs of step i). If p l AB de- 
notes the state of the system before measurement i, the unormalised state passed to round i + 1 
in the event that Alice and Bob use inputs X{ and yt and obtain outputs and bi would then 
be A\(ai\xi)B\{bi\yi)p % ^ B Ai{ai\xi)Bi{bi\yi) where Ai(a\x) and Bi(bi\xi) are generalized measure- 
ment operators describing Alice's and Bob's measurements and satisfying '^2 a Ai{a\x)A^ i {a\x) = 
J2b Bi{b\y)B](b\y) = I. In such a model, the probabilities P(ab|xy) are then given by 

1 N 

P(ab|xy) = tr[[J it( ai |x i )sj(6 i |i«) PAB YlM<H\xi)Bi(bi\yi)] , (6) 

i=N i=l 

where p^s denotes the initial state at the beginning of the protocol, and the order in the products 
is relevant. Imposing commutation relations between all operators pertaining to different rounds 
corresponds to neglect the causal order in ^ due to memory effects. We then recover a model of 
the form ^ by defining Ai{a\x) = ^4j(a|x)^4j(a|x) and Bi(b\y) = Bi{b\y)B\(b\y). 
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4 Security Proof 



We now establish a bound on the secret key rate that can be achieved against an unrestricted 
eavesdropper Eve for a QKD protocol satisfying the description ([3]), Q, §5§. The information 
available to Eve can be represented by a quantum system that is correlated with the systems of 
Alice and Bob. We denote by pABS the corresponding (2N + l)-partite state, with tr^ PABS = PAB- 
This state describes the 2N + 1 systems at the beginning of the protocol. After the N systems of 
Alice have been measured, the joint state of Alice and Eve is described by the classical-quantum 
state 

PAS = ^(a|x raw )|a)(a| ® p £ \ a , (7) 

a 

where p £ \ a is the reduced state of Eve conditioned on Alice having observed the outcomes a. 

The length of the secret key k obtained by processing the raw key a with an error correct- 
ing protocol and a 2-universal random function is, up to terms of order y/N, lower bounded by 
i?mi n (a|£ ) — A'pub, where H m i n (a\£) is the min-entropy of a conditioned on Eve's information for 
the state and iV pu b is the length of the message published by Alice in the error-correcting phase. 
It is shown in [19] that the length of the public message necessary for correcting Bob's errors is 
Np U b = NH(a\b), up to terms of order y/~N. The quantity H(a\b) is the conditional Shannon 
entropy [19|, defined by 

H(a\b) = J2- p (a,b)log 2 P(a\b), (8) 

a, b 

where P(a, b) = l/NJ2iL\ b (°« = a >bi = b) is the average probability with witch the pair of 
outcomes a and b are observed. Computing the key rate of the DIQKD protocol, thus essentially 
amounts to determine the min-entropy H m i n (a\E). We show in the following how to put a bound 
on this quantity as a function of the estimated Bell violation g. 

Intuitively, we want to understand how the observed Bell violation limits the predictability 
of Alice's outcomes a. We start by considering the simpler case of one pair of systems (N = 1) 
uncorrelated to the adversary and characterized by the joint probabilities 

P(ab\xy) = tr[p A(a\x)B(b\y)\ . (9) 

If P(a|x raw ) < 1 for all a, then the outcome of the measurement x rscw cannot be perfectly predicted. 
The degree of unpredictability of a can be quantified by the probability to correctly guess a [20J. 
This guessing probability is equal to 

-Pguess(a) = maxP(o|x raw ) , (10) 

since the best guess that one can make about a is to output the most probable outcome. If 
-Pguess(a) = 1 then the outcome of the measurement x raw can be predicted with certainty, while 
lower values for P gue ss(a) imply less predictability. 
Let 

ffexp — ^2abxy 9abxyP( a b\xy) — tx[pG] denote the expected quantum violation of the Bell 
inequality ([T]) for the pair of systems described by ([9]), where 

G = 9abxyA(a\x)B{b\y) , (11) 

a,b,x,y 
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is the Bell operator associated to the inequality g and to the measurements A(a|x) and B(b\y). 
Independently of the precise form of the state p and of the measurement operators A(a|x) and 



B(b\y), the value of the Bell expectation <7 exp imposes a constraint on the guessing probability (10). 
In the case of the CHSH inequality, for instance, the following (tight) bound holds (see Appendix A 
and Ref. [25|) 



P guess (a) < I + 2 - , (12) 

for any of the two possible values x raw = or 1 entering in the CHSH definition ^ . 
More generally, let 

P g ue SS (a) < /(fitexp) , (13) 

be a bound between the guessing probability and the Bell violation, where / is a concave and 
monotically decreasing function. Such a bound can always be obtained using the semidefinite pro- 
gramming (SDP) method introduced in |21j . Indeed, the maximal value of the guessing probability 
-fguess(«) for a given value of the Bell expectation <7 exp corresponds to the solution of the following 
optimization problem 

max trip A(a\x rsm )] 

P,A,B (14) 

subject to tr[pG] = g exp , 

where the maximum is taken over all quantum states p and measurement operators j4(a|x) and 
B(b\y). Following reference [21] . one can introduce a hierarchy of SDP relaxations of the problem 
(114 ) . The solution to any of these SDP relaxations yields an upper-bound to the optimal solution 



of (14) and thus a bound of the form (13), as illustrated on Figure 1 for different Bell inequalities. 



The resulting function / is then always concave and monotonically decreasing, as follows from the 



convex nature of the problem (14) and of its associated SDP relaxations. Note that relaxations 
higher in the hierarchy necessitate more computational resources but yield better upper-bounds. 
In the asymptotic limit, one has the guarantee that these upper-bounds will converge to the exact 



maximum of (14), though usually a few steps in the hierarchy already give the optimal bound (this 
is the case for instance for the CHSH inequality). 

As the function / is concave, it can be upper-bounded by its linearization around any point go 

f(g) < Kgo) + v(gv)g , (15) 

where p(g ) = f(g ) - /' (50)50, v(g Q ) = /'(5o)- From concavity, it also follows that 

f(g) = min [p(g ) + v(g Q )g] . (16) 

90 



The bound (13) is thus equivalent to the family of inequalities P(a|x raw ) < p(go) + v(go) g ex p for 
all a and go . Since these inequalities are satisfied by any quantum distribution ([£]), and thus in 
particular by any state p, they are equivalent to the operator inequalities 

A(a\x ISLW ) < p(g )l + v(g )G , (17) 



valid for all a, go, and any set of measurements A(a|x) and B(b\y). A proof of the bound ( |13| for 
the CHSH inequality based on such operator inequalities is given in Appendix A. In general, the 



validity of any linear operator inequality of the form (17) can be established, independently of the 



Hilbert space dimension, using the dual formulation [24] of the SDP techniques introduced in [21J. 
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Figure 1: Guessing probability P gue ss(a) vs Bell violation g exp for the CHSH inequality, the chained 
inequality with n = 3 inputs |22j . and the Collins-Gisin-Linden-Massar-Popescu (CGLMP) inequal- 
ity with d = 3 outputs [23] . Note that the symmetry of these inequalities implies that the bounds 
on the guessing probabilities are the same for any inputs x raw entering into their definition. The 
horizontal scale represents the relative violation ranging from the local bound g\ oc to the maximal 
quantum bound g q . The CHSH curve is given by the function (12), the chained and CGLMP 



inequalities curves have been obtained by solving the problem (14) using the SDP relaxations in- 
troduced in |21j . These last two curves upper-bound the optimal values by at most O(10 -4 ). The 



solid line represents a linearization of the form (15) of the CHSH function around a point go 



We now move to the case of N pairs of systems described by ([3]) and ([7]) and evaluate the 
probability with which Eve can correctly guess the raw key a by measuring her side information 
£. Suppose thus that Eve performs some measurement z on her system E and obtains an outcome 
e. Let P(a\ XrawjCz) denote the probability distribution of a conditioned on Eve's information. 
On average, her probability to correctly guess a is given by ^ e P(e\z) max a P(a|x raw , ez), and her 
optimal correct-guessing probability (optimized over all measurements z) is [20J: 

-P g uess(a|£) = maxy^P(e|z)maxP(a|x raw ,e2:) . (18) 

z *■ — » a 

e 

Denote by p_AB\ez the 2iV-partite state prepared when Eve measures z and obtains the outcome e 
(with p AB = J2 e P (. e \ z )PAB\ez)i and wri te A(a|x raw ) = H? =1 Ai((ii\x TWN ), so that 

P(a|x raw ,ez) = tr [p AB \ ez A^a|x raw 

)] ■ (19) 

Consider the following A^-partite Bell operator 

N 

G(go) = l[Mgo)i + v(go)G i } ) (20) 
i=i 
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where Gi = ^2 abxy g a b xy Ai(ai\xi)Bi(bi\yi). The single-copy operator inequality (17) implies that 
for all a and <?o 

A(a|x raw ) < G(g ) . (21) 

To show this, write A\ = Ai{ai\x rscw ) and G\ = p(go)l + u(go)Gi. We thus want to establish 
that UiLi G i ~ Ui=i A i > °- Inequality 0h implies that for all i, < A\ < G\. Defining 



Zi = a - A\ > 0, note then that Uti G\ - fill A = Uti(Zi + A[) - Uf =1 A = Ult Z t + 



Z\ + • • • + n£i 1 AjZn. Inequality ( 21 ) then follows from the fact that each term in this sum 

is positive since it is the product of operators that are positive and, according to ([5]), commuting. 
Using inequality (21) in (18), we find 



guess 



(a|£) 



< 



< 



max) P(e\z) maxtr rp_4gi e;Z >l(a|x r 

e 

mfx^2,P{e-\z) mintr [p A t3\ezG(g )] 

e 

min tr [pABG(g )] 



(22) 



where to deduce the first inequality we used, in addition to (21), the positivity of p_AB\ez- 

Note now that the quantity tr [p^B G(go)] is a function of the marginal distributions P(ab|xy) 
of Alice and Bob only and does not involve directly the system of Eve. It is shown in [15], that 
Alice and Bob can estimate (with high probability) this quantity from the Bell violation g observed 
on the randomly-chosen iV es t pairs. More precisely, Lemma 5 from reference [15J implies that the 
inequality 



tr [PAB G(g 



< 



p{go) + v(go)gest + A r e st /4 



N 



holds except with probability exponentially small in N est . This, (22), and (16) imply that 



P g uess(a|£) < /(<? cst ) + AT 



-1/4 



est 



N 



(23) 



(24) 



Finally, it is shown in [20] that the (quantum) min-entropy H m - m (a\£) of a state of the form ([7]) 
is given by 

-Hmin(a|£) = - log 2 P gue ss(a|£) , (25) 



which implies the asymptotic secret key rate 

R > -log 2 /(ffest) 



H(a\b) 



(26) 



This bound on the secret-key rate constitutes the main result of our work. As mentioned previously, 
the second term H{a\b) is standard and quantifies the amount of communication needed for the 
error correcting phase. The non-trivial part of our bound corresponds to the first term, which 
quantifies the knowledge of Eve and thus the amount of privacy amplification needed to make her 
information arbitrarily small. 
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5 Key rate of specific protocols 



We now illustrate the above formalism on two DIQKD protocols, based respectively on the chained 
inequality [22], [T7j for n = 2 and n = 3 inputs. This inequality reads 

n— 1 x 

5c = E E E (-l) a+b+5{y k(ab\xy) < 2 , (27) 

a, b x=0 y=x—l 

where a, b G {0, 1} and x, y G {0, 1, . . . n — 1} are defined modulo n; the S(y) equals one when y = — 1 
and zero otherwise. Note that for n = 2, the chained inequality reduces to the CHSH-inequality. 

In both protocols, the observed correlations P{ab\xy) are obtained by measuring a two-qubit 
maximally entangled state \4>) = 1 00) + |11) along n possible directions for Alice and n + 1 for Bob. 
The inputs x raw = n — 1 and y raw = n correspond to measurements in the computational basis 
{|0), |1)} and are used to generate the raw key. The chained inequality violation is estimated using 
the inputs x,y G {0, . . . , n — 1} and the corresponding measurement directions are set-up to obtain 
the maximal violation of the chained inequality given by 2V2 and 3\/3 for the cases n = 2 and n = 3, 
respectively. For the sake of illustration, let us assume that the effect of the noise in the protocol 
amounts to the distribution of an entangled state v \4>){4>\ + (l— v)l/4 of visibility v. The conditional 
Shannon entropy H(a\b) is then equal to h[(l — v)/2], where h(x) = —x log 2 (x) — (1 — x) log 2 (l — x) 
is the binary entropy, and the observed Bell violations are equal to g = 2\[2v and g = 3\/3v. For 



the CHSH inequality, we then obtain using (12) and (26) the key-rate 



R > 1 - log 2 [l + y/2 - 2v 2 ] - h [(1 - v) /2] . (28) 

The value of the visibility such that this bound is equal to zero corresponds to a quantum-bit-error 
rate (QBER) of 5%. The key-rate for the chained inequality for n = 3 is plotted in Figure 2, based 
on the SDP bound of Figure 1. The critical visibility corresponds to a QBER of 7.5%, comparable 
to those obtained for standard QKD. Numerical evidence suggests that the chained inequalities for 
a larger number of settings, n > 3, provide worse lower bounds on the key rate. 

The fact that our approach can be applied to protocols based on arbitrary Bell inequalities is 
particularly interesting from a practical point of view. As shown in Figure 2, using inequalities 
other than CHSH may lead to better key rates in the presence of noise. It could also be very useful 
to improve the resistance of DIQDK protocols to photon detection inefficiencies [TT], since relevant 
improvements over CHSH can be obtained in realistic situations [26J. 

6 Conclusion 

We have shown how to compute a bound on the key rate of a large class of DIQKD protocol^] 
Our approach is based on a fundamental relation between the amount by which two quantum 
systems violate a Bell inequality and the unpredictability of their local measurement outcomes, 
as illustrated in Figure 1. A similar relation has been used in the context of device- independent 
randomness generation [25J. 

To derive our security proof, we have used the fact that the behavior of iV uses of the quantum 
devices is represented by probabilities of the form ^ with measurement operators satisfying the 

1 It is easy to see that our security proof can also be adapted to cover the less efficient protocols introduced in [7] 
and [27], or protocols with pre-processing of the raw key |17j . 
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Visibility v 



Figure 2: Key rate vs visibility for the CHSH inequality and the chained inequality with 3 inputs. 
The key rate is given by the formula (26) where the function / is given by (12) for the CHSH 
inequality and has been obtained by solving the problem (14) using the SDP relaxations introduced 
in [21] for the chained inequality (see Figure 1). Interestingly for the particular type of noise 
illustrated here, the chained inequality leads to better key rate than CHSH. 



commutation relations ([5]). These commutation relations can be satisfied in a physical realization 
in which N pairs of separated and non-interacting devices are used to generate the ./V symbols of 
the raw key. If necessary, these commutation relations can be enforced by shielding the devices in 
such a way that no communication between them occurs during the measurement process. Note 
that if the provider of the quantum apparatuses is untrusted, shielding of the devices is anyway 
required to guarantee that they do not send unwanted information to the adversary Admittedly, 
a realization requiring N different devices for the generation of N raw-key symbols is impractical. 
Our results nevertheless show that secure fully device-independent QDK with key rates comparable 
to those of traditional QKD is in principle possible. 

In a more realistic implementation, the raw key is generated by repeatedly performing measure- 
ments on a single pair of devices. In such a sequential implementation, the description provided by 
Eqs. ([3| and ^ corresponds to the assumption that the functioning of the measuring devices does 
not depend on an internal memory storing the quantum states and measurement results obtained 
at previous steps. While it would be desirable to extend our security proof to cover such possible 
memory effects, it may be reasonable to expect our no-memory condition to be satisfied in a variety 
of practical setups. After all, this no-memory condition is assumed in standard QKD, where the 
description of the devices fits in the formalism of Eqs. ([3]), Q, ([5]). But while we make here no 
assumptions at all on the measurement operators Ai(a,i\xi), Bi(bi\yi) (nor on the Hilbert spaces 
on which they are defined), in standard QKD one assumes that these measuring operators have a 
fixed and known value, which is identical for all i — an idealized assumption difficult to verify in 
practice. From this perspective, the DIQKD model considered here clearly represents a relaxation 
of standard QKD, and thus can only be more secure. 
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Note that the no- memory assumption allows for devices whose behaviour may vary with time (as 
implied by the dependence of Ai(a,i\xi) on the subindex i), it only excludes, e.g., that the response 
of the devices at step j depends on the particular measurement input at step j — k. Such kind of 
memory effects could arguably be excluded, for instance if no explicit memory has been introduced 
in the devices or if an "initialization" procedure is performed before every measurement based on 
an estimation of the apparatus memory characteristics. It may thus be legitimate to assume for 
particular implementations that no imperfections, failures, or implementation weaknesses would 
introduce detrimental memory effects (even though imperfections could be exploited in other ways 
by an eavesdropper). From this perspective, our work contributes to narrow the gap between 
theoretical security proofs and practical realizations of QKD. 

Note added after completion of this work: results closely related to the ones presented here have 
been obtained independently in Ref. [28J. 



Appendix: Local randomness vs CHSH violation 

Let P(ab\xy) with a, b,x,y E {0, 1} be a quantum distribution of the form ^ and let g = bxy 
(— l) a+b+xy P(ab\xy) be the corresponding CHSH expectation. We establish here (see also |25j ) that 



P(a\x)< l + lJ2-£ (29) 



for all a, x 6 {0, 1}, which implies inequality (12). We consider only the case a = and x = (the 



argument applies by symmetry to the other cases as well). 

Let G = ^2 a bx (— \) a+h+xy A(a\X)B(b\y). Following the discussion after Eq. (15), inequal- 
ity (29) is equivalent for go € [2, 2y/2[ to the series of operator inequalities 



.4(0|0) < \ + — L= - ^== G, (30) 

since f'(g) = —g/($>\f2 — (? 2 /4). By increasing the dimension of the Hilbert space, we can always 
take the measurement operators A{a\x) and B(b\y) to be projection operators. Define then oper- 
ators A x = A{a = 0|x) — A(a = l\x) and B y = B(b = 0\y) — B{b = l|y). It is easily verified that 
these new operators are hermitian and satisfy A x = 1 and By = 1. In term of these operators we 



can rewrite inequality ( 30 ) as 



- + -A) < - + ~r=^= ~ ^ G , (31) 

where G = AqBq + AqB\ + A\Bq — A\B\ We now prove this operator inequality. For this, let 
a = l/(y/8 - gl), 7i = ^fa/A, 72 = -g y/a/8, 73 = g /(l6,/a), 74 = 1/(8^"), and 75 = 
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(1 — gQ/4)\/a/4, and define the following four operators 



Ox 
O4 



-2 7l A 2 - 72 (Si - B 2 ) + 7 3 (A 2 5i + A 2 B 2 ) 
_2 72 - 2 73 ^i + 74(5! + B 2 ) 

-71(^1^1 + A X B 2 ) + 75(^2^1 - A 2 B 2 ) 
-7 4 (S! - 5 2 ) + 7 i(AiBi - A X B 2 ) 

- 75 (A 2 5i + A 2 5 2 ) 
2 74 - 2 75 Ai + 72 (5i + B 2 ) - 73(^2^1 - A 2 B 2 ) , 



Using the fact that A 
verified 



t,B% 



1, and [Ax, By] 
1 „ 

= --Aq <8> 1 + 



0, the following algebraic idendity is easily 



5o 



9l 



8\ 2 



9o 



-G. 



(32) 



Note now that since the left hand side is a sum of square, it is necessarily positive semidefinite, 
i- e -' Tli 0\Oi > 0, which immediately implies (31). Note that we have established inequality ( |29[ ) 
only for go £ [2, 2\[2[. The bound for go = 2\/2 follows from the fact that the function f(g) 



corresponding to the right-hand side of (29) is concave and monotonically decreasing and hence 
f(2V2) <lim^ /(2V2-e 



1/2. 



Finally, we show that inequality (29) is optimal, i.e., that there exists quantum states and 



operators that saturate the inequality. Consider the two-qubit state cos#|00) + sin#|ll), and the 
measurement operators Aq = a z ® 1, A\ = a x <g) 1, Bo = 1 ® cos4>a z + sin^Ua;, and B\ = 
1 ® cos 4>a z — sin <f>a x , where tan <p = sin 26 and 2y/l + sin 2 (2#) = g. It is straightforward to see 



that the corresponding quantum probabilities P(ab\xy) saturate the inequality (29) for all values 
of g e [2, 2^2]. 
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